This application claims priority from Japanese patent application number 11-358178, filed Dec. 16, 1999, which is hereby incorporated herein by reference in its entirety.
1. Technical Field
The present invention relates to a method for evaluating policy descriptions for access control, and for enforcing a condition portion for implementing the policy descriptions.
2. Background Art
Conventional, well known policy description means for accessing a data file are, for example, KeyNotes [BFIK99] (PolicyMaker [BRL96]), GACL [WL93] [WL98] and ASL [JSSB97] by ATT. These policy descriptions, which are rules used to determine whether to permit access, are based on a list of three elements (Subj, Obj, Op) that is called an access control list (ACL). This means that a subject (Subj) of an access is permitted to perform a specific operation (Op) for an access target (Obj). Therefore, in order to respond to all access requests, ACLs must be prepared for all possible combinations of the three.
To simplify the access control policy, the above policy description means describes pattern matching using a variable, and introduces the rule ACL(subj, Obj, Op)←Cond(subj, Obj, Op) in order to write a condition formula for limiting a variable. That is, since it is difficult and requires too much effort to prepare, in response to an access request, ACLs that correspond to each combination of three elements, an abstract of the policy is created by using a variable, and upon the receipt of a relevant access request for the variable, access control is exercised in accordance with a corresponding ACL.
Two different methods are used when describing an operation performed for a control target on an ACL: a method by which only operations that are permitted are described, and a method by which both operations that are and operation that is not permitted are described. The first method is used with the Closed World Assumption. According to the Closed World Assumption, when the applicable interpretation is that no available ACL corresponds to a particular access request, the specified operation is not permitted. Therefore, when in an ACL only those operations that are permitted are described, and an access request does not match any entry in the ACL, the requested operation is rejected unconditionally. The second method is used for GACL, and in this case, the Default assumption is that an operation is permitted so long as a distinctly negative operation is not requested.
Although policy evaluation methods may differ in various respects, all of the conventional policy evaluation systems return an evaluation decision as a binary, Yes or No, result. In other words, a value of 1 or 0 is returned in reply to a question ?-ACL(subj, obj, op).
As is described above, according to the policy evaluation techniques used for conventional access control, a policy evaluation performed in response to an access request produces a simple binary result, either Yes or No. That is, in response to an access request, the conventional technique determines only whether access should or should not be permitted. Thus, the conventional technique is not sufficiently flexible, and it can not provide a conditional response, such as a Yes (a conditional Yes) that is dependent on the establishment of a specific state.
Therefore, generally it is not possible to provide complicated access control that is dependent on various conditions, such as: the issuing of an instruction to permit access, the embedding of an electronic watermark in data that are read or the writing of an access log when data encoding or format conversion is to be performed, or the issuing of an instruction to permit access when a time condition is the controlling factor.
To resolve the above technical shortcomings, upon the receipt of an access request, one object of the present invention, when exercising access control, is not only to determine, basically, whether access should or should not be permitted, but also to evaluate for acceptability an access request for which access permission is dependent on the establishment of a specific condition.
It is another object of the present invention to recurrently evaluate a specific condition if it is requested that a condition that is being evaluated to grant access permission under a condition should establish the specific condition.
To achieve the above objects, according to the present invention, an access control system comprises: a resource document in which a policy description is stored that is associated with data stored in a data file; policy evaluation means for receiving an external request for accessing the data file, for extracting, from the resource document, the policy description that is associated with target data for the access request, and for evaluating the policy description to determine whether or not the access request is to be permitted; enforcement function verification means for, when an existing condition is such that the policy description can not be evaluated using only the information included in the policy evaluation means, determining whether the condition can be evaluated or can be established; and enforcement means for evaluating or establishing the condition that, in accordance with the enforcement function verification means, is capable of being evaluated or established.
A plurality of the enforcement means can be provided in accordance with the evaluation or the establishment of the condition, which can not be evaluated using only the information included in the policy evaluation means. When the plurality of enforcement means are provided, the enforcement function verification means further determines whether a condition that one of the enforcement means has received from the policy evaluation means can be evaluated or established. This arrangement is preferable because the contents of a condition can be coped with flexibly. For the verification process to be performed by an enforcement means that can evaluate or establish a condition, a list can be employed in which a component of the enforcement means and a condition governing an operation that the pertinent component can enforce are stored in correlation with each other.
When access of a different data portion is required in order to evaluate or establish a condition that is determined by the enforcement function verification means can be evaluated or established, the enforcement means issues, to the policy evaluation means, a request to access the different data portion. Upon the receipt of the access request from the enforcement means, as well as upon the receipt of an external access request, the policy evaluation means evaluates a policy description that is associated with data to be accessed. This arrangement is superior in that an access request can be recurrently issued to evaluate or establish the condition. The data portion may be either a different portion of a document to be accessed or a predetermined portion of another document.
The enforcement means includes: writing/alteration target detection means for detecting a data portion in the data file that is a target for writing or alteration, and for issuing an access request to the policy evaluation means; and writing/alteration execution means for, when in response to the access request access permission is received from the policy evaluation means, writing or altering the data portion, wherein the writing/alteration execution means prepares a desired function by using a plug-in. This arrangement is preferable because a complicated process for evaluating or establishing a condition can be flexibly coped with by adding a corresponding function using a plug-in. When an access target is an XML document, the writing/alteration execution means can be an XSL processor, which is a standard tool for reading XML data, and a conversion rule, for generating new XML data. In this case, plug-in software can be added to carry out a complicated process.
An access control method, for receiving an external request for accessing a predetermined data file and for evaluating a policy description associated with the data that are to be accessed to determine whether or not the access request is to be permitted, comprises the steps of: receiving an access request and obtaining a policy description that is associated with the data that are to be accessed; evaluating a condition in the obtained policy description; determining, when a condition that can not be currently evaluated is present in the policy description, whether a process that satisfies the condition is capable of being enforced; performing the process that satisfies the condition when it is ascertained that the process is capable of being enforced; and employing, after the process that satisfies the condition has been performed, the evaluation results for all the conditions in the policy description to determine whether or not the access that is requested is to be permitted. The process that satisfies the condition is a process for evaluating or establishing the pertinent condition.
The step of evaluating the conditions in the policy description includes the steps of: comparing a parameter of the access request with a rule in the policy description, and detecting a matching rule; evaluating condition portions in the rule that is detected; and when the condition portions of the rule can not be currently evaluated, collecting the condition portions and moving to a step at which whether a process for satisfying the condition portions is capable of being performed is determined.
The access control method further comprises the step of: employing, when a plurality of rules that match the parameter of the access request are detected before the performance of the step of evaluating the condition portions of the rule in the policy description, a predetermined rule to determine a priority order for evaluating the rule. With this arrangement, an appropriate rule can be applied when there are a plurality of rules that match the condition. The priority order may be determined in accordance with a priority that is provided for a policy rule. When as rules that match the same condition there are a policy rule for inhibiting access and a policy rule for permitting access, the policy rule that inhibits access may be employed first in order to prevent the careless granting of access permission.
The step of determining whether the process that satisfies the condition in the policy description is capable of being performed includes the steps of: receiving the set of the conditions that have been prepared, at the step for evaluating the condition in the policy description, for the rule that can not be evaluated based only on information in the policy description, and extracting the conditions separately; determining whether a function has been prepared for performing a process that satisfies each of the conditions; and calling the function for performing the process that satisfies the condition when it is ascertained that the function has been prepared. To determine whether the function for performing the process that satisfies the condition has been prepared or not, the above described list can be employed wherein a component of the enforcement means and a condition that the pertinent component can enforce are stored in correlation with each other.
The step of performing the process that satisfies the condition in the policy description includes: employing the function that is called at the step of determining whether the process that satisfies the condition in the policy description can be enforced, and detecting, based on the condition of the policy description, a data portion in a predetermined data file for writing or for alteration; issuing a request for an access required for the writing or the alteration; and writing data to the data portion or changing the data portion upon the receipt of access permission in response to the request for the access that is required in order to perform the writing or the alteration. The data portion is another portion of a document to be accessed, or a predetermined portion of another document.
According to the present invention, a storage medium is provided on which a program is stored that can be read by input means of a computer, the program permitting the computer to perform: a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with the data that are to be accessed; a process for evaluating a condition in the obtained policy description; a process for determining, when a condition that can not be currently evaluated is present in the policy description, whether a process that satisfies the condition is capable of being enforced; a process for performing the process that satisfies the condition when it is ascertained that the process that satisfies the condition is capable of being enforced; and a process for employing, after the process that satisfies the condition has been performed, the evaluation results for all the conditions in the policy description to determine whether or not the access that is requested is to be permitted. With this arrangement, a computer that has loaded the program can evaluate the granting of access permission under an applicable condition.
In order to perform the process that satisfies the condition in the policy description, the program permits the computer to perform: a process for employing the function that is called at the step of determining whether the process that satisfies the condition in the policy description can be enforced, and for detecting, based on the condition of the policy description, a data portion in a predetermined data file for writing or for alteration; a process for issuing a request for an access required for the writing or the alteration; and a process for writing data to the data portion or changing the data portion upon the receipt of access permission in response to the request for the access that is required in order to perform the writing or the alteration. With this arrangement, in order to satisfy an applicable condition, a computer that has loaded this program can recurrently issue a request to obtain access permission under the condition.
According to the present invention, a program transmission apparatus comprises: storage means for storing a program that permits a computer to perform a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with the data that are to be accessed, a process for evaluating a condition in the obtained policy description, a process for determining, when a condition that can not be currently evaluated is present in the policy description, whether a process that satisfies the condition is capable of being enforced, a process for performing the process that satisfies the condition when it is ascertained that the process that satisfies the condition is capable of being enforced, and a process for employing, after the process that satisfies the condition has been performed, the evaluation results for all the conditions in the policy description to determine whether or not the access that is requested is to be permitted; and transmission means for reading the program from the storage means and transmitting the program. The thus arranged program transmission apparatus can provide the technique of the present invention as a program provision form for a client that does not have a storage medium, such as a CD-ROM.
In order to perform the process that satisfies the condition in the policy description, the program stored in the storage means permits the computer to perform: a process for employing the function that is called at the step of determining whether the process that satisfies the condition in the policy description can be enforced, and for detecting, based on the condition of the policy description, a data portion in a predetermined data file for writing or for alteration; a process for issuing a request for an access required for the writing or the alteration; and a process for writing data to the data portion or changing the data portion upon the receipt of access permission in response to the request for the access that is required in order to perform the writing or the alteration.
Furthermore, according to the present invention, an access control system comprises: means for storing a policy description including a condition whereby reading of information written by a single source is permitted when format conversion is possible; means for, upon the receipt of a predetermined access request that matches the policy description, determining whether a function to establish the condition for the format conversion is included, and for, when it is ascertained that the function is included, calling and executing the function to establish the condition; and means for, when the function to establish the condition is executed, permitting an access in response to the access request. With this arrangement, the access can be permitted with transcoding serving as a condition.
Further, according to the present invention, an access control system comprises: means for storing a policy description including a condition whereby reading of information is permitted when an electronic watermark is to be embedded in a document to be accessed; means for, upon the receipt of a predetermined access request that matches the policy description, determining whether a function for embedding an electronic watermark to establish the condition is included, and for, when it is ascertained that the function is included, calling and executing the function to establish the condition; and means for, when the function to establish the condition is executed, permitting an access in response to the access request. With this arrangement, the access can be permitted under a condition for embedding of an electronic watermark serving as one mode of transcoding. It should be noted that the same process can be performed for the encoding of a document as another mode for transcoding.
Furthermore, according to the present invention, an access control system comprises: means for storing a policy description including a condition whereby accessing of a target document is permitted when an access history is to be written to the target document; means for, upon the receipt of a predetermined access request that matches the policy description, determining whether a function for writing the access history to the target document to establish the condition is included, and for, when it is ascertained that the function is included, calling and executing the function to establish the condition; and means for, when the function to establish the condition is executed, permitting an access in response to the access request. With this arrangement, the access can be permitted under a condition where an access history is written to the document.
The function for writing the access history to the document further comprises: means for recurrently issuing requests to access a document to write the access history. With this arrangement, while the recurrent accesses of the document to write the access history can be an evaluation target for access permission, the security can be improved. The target for the writing of the access history can be the document to be accessed, or a part of another document.
In addition, according to the present invention, an access control system comprises: means for storing a policy description including a condition whereby accessing of a target document is permitted when a time stamp of an access is to be written as an access history to the target document; means for, upon the receipt of a predetermined access request that matches the policy description, determining whether a function for writing the time stamp as the access history to the target document to establish the condition is included, and for, when it is ascertained that the function is included, calling and executing the function to establish the condition; and means for, when the function to establish the condition is executed, permitting an access in response to the access request. With this arrangement, the access permission is strictly granted under a time condition.
According to the present invention, an access control system comprises: a resource document in which a policy description is stored that is associated with data stored in a data file; policy evaluation means for receiving an external request for accessing the data file, for extracting, from the resource document, the policy description that is associated with target data for the access request, and for evaluating the policy description to determine whether or not the access request is to be permitted; and enforcement function verification means for performing another process to determine whether the condition can be evaluated or can be established. Operations required to evaluate or establish a condition that can not be evaluated using only the information owned by the policy evaluation means are the data form conversion of a data file to be accessed, and the operation for maintaining the access history of the data file to be accessed. That is, only when these operations can be executed, can an access request be granted for which this condition is the policy description.